The origin of Chr (0) in asp/vbscript and the analysis of its security problems

Time:2022-6-14

This character marks the end of the string, also known as null terminated, which is used for script programming, especiallyASPProgramming brings some trouble. Many people may ask why this special character should be retained. We can trace back to C, one of the languages that write the operating system. Children who have learned c/c++ may know that identifying the end of a string in a string depends on the end \0 (null or 0). Otherwise, it cannot be called a string, but a string array, Any function that operates on a string may encounter an exception if the incoming string loses the ending null character.

Copy codeThe codes are as follows:


char strbuf[] = “Hello”
//Equivalent to
char strbuf[] = {‘H’, ‘e’, ‘l’, ‘l’, ‘o’, ‘\0’}


One of the simple implementations of the string length judgment function:

Copy codeThe codes are as follows:


size_t strlen_a(const char * str) {
size_t length = 0;
while (*str++ )
++length;
return length;
}


It can be seen that the while loop ends with 0, so the end flag here is the \0 character at the end of the string. This string identification method can be said to be reasonable, because C language, which is a relatively low-level language, needs the efficiency of execution and better storage space control. That is to say, we need to master and allocate the space for storing strings for string variables. Generally, the allocated space for strings is much larger than the length of strings, In addition, the variables allocated in the auto mode of C language are filled with garbage values before initialization. At this time, we can load our string into this space by simply setting the last character of the string as \0 character, which effectively avoids the operation of the whole space. Another reason is that when outputting this string, we must specify where the string ends, and we can’t output the value of the entire string storage space. Hehe, Maybe the explanation is a little far fetched.

OK, let’s see why ASP/VBScriptThis feature is reserved in. We know that VBScript is a subset of VB (Visual Basic). What is VB? VB is used for Windows application development. Speaking of windows application development, it may call the API of windows system, and most of these API functions are written in C language. Obviously, in order for VB to be compatible with these APIs, strings must be introducedCHR(0)The character is vbnullchar. It also has the character of C language string processing, that is, when encountering Chr (0), it marks the end of the string. No matter what the next content is, the most classic WinAPI function call using Chr (0) character isGetLogicalDriveStrings, the drive string obtained by this API is similar to c:\<null>d:\<null><null>. Every two paths are separated by a null terminated, that is, Chr (0). Therefore, special processing is required. If VB does not support Chr (0) characters, this API will not be used, and VB application programming will be greatly reduced. But in particular, VBScript, a subset of VB, retains this feature. At present, I don’t know whether null characters are necessary in VBScript scripts, but it brings us some trouble in script writing, especially ASP, and even security risks.

For example, such a function is used to get the file extension:

Copy codeThe codes are as follows:


‘This function is for demonstration only and should not be used in production environment
Function GetFileExtensionName(filename)
Dim lastdotpos
lastdotpos = InstrRev(filename, “.”)
GetFileExtensionName = Right(filename, Len(filename) – lastdotpos)
End Function


This function is only for demonstration. Through this function, we can get the extension of an uploaded file, such as sample Jpg. Obtain JPG through the above function. If a malicious attacker constructs such an upload file name as sample asp<null>. Jpg, that is, “sample.asp” & Chr (0) & “.Jpg”, then the above function still obtains the extension JPG, while ASP will truncate the string according to Chr (0) due to the VBScript feature, so the file name becomes sample ASP, this is quite dangerous. The common method is to filter out Chr (0), such as the following functions:

Copy codeThe codes are as follows:


Function filterFileName(fileName)
filterFileName = Replace(fileName, vbNullChar, “”)
End Function


However, if this happens, it means that the user may be trying to exploit the upload vulnerability to attack the system. Therefore, I think it is more appropriate to prohibit file uploading if Chr (0) is found, so as to prevent malicious files from being uploaded after filtering, although the malicious files do not work. The regular library regexlib COM, I have found a good way to judge whether the file name is valid. Next, I provide this general function of regular matching file name for your reference:

Copy codeThe codes are as follows:


Function IsAcceptableFileName(fileName)
Set objRegExp = New RegExp
objRegExp.IgnoreCase = True
objRegExp.Global = False
objRegExp.Pattern = _
“^(?!^(PRN|AUX|CLOCK\$|CONFIG\$|” & _
“NUL|CON|COM\d|LPT\d|\..*)” & _
“(\..+)?$)[^\x00-\x1f\\?*:\””;|/]+$”
IsAcceptableFileName = objRegExp.Test(fileName)
Set objRegExp = Nothing
End Function


Isacceptablefilename function can detect whether the file name contains some illegal characters, such as 0x00~0x1f and*\/ These forbidden path characters can also detect special device names under windows, such as PRN, con, nul, etc., to avoid malicious device name file uploading.

Updated on 20 December 2011

For the implementation code of null character upload vulnerability attack, please refer to《ASP upload vulnerability using Chr (0) to bypass extension detection script